The TechNet Library explains the preparation for a WSUS deployment in detail, but some planning issues still need to be considered during the actual deployment.
In this scenario, I'm going to deploy an environment that includes a first-level WSUS server and a second-level WSUS server. Here is what needs to be prepared.
(i) System requirements
WSUS's hardware requirements are not particularly high: for now, if the enterprise has fewer than 4000 WSUS clients, 8 GB of memory is enough. For the operating system, you can select Windows Server R2 SP1 (WSUS 3.0 SP2) or Windows Server 2012. WSUS can be deployed on a blade server, on a rack server, or on a virtualization platform. The demo environment for this article is WSUS deployed on VMware's virtualization platform. There are a few caveats about the system requirements.
1. Microsoft .NET Framework 4.0 must be installed on the server where the WSUS server role will be installed. On the Windows Server R2 operating system this requirement is already met, because it is installed by default.
2. The NT AUTHORITY\NETWORK SERVICE account must have full control of the following folders so that the WSUS Administration snap-in displays correctly: %windir%\microsoft.net\framework\v4.0.30319\ Temporary ASP. This permission has to be adjusted manually after WSUS has been deployed; the folder does not exist before then, because IIS is not yet installed.
Add the appropriate permissions.
(ii) Database requirements
For the database, you can use the internal database, which is what the deployment scenario in this article uses. You can also use a SQL Server database; SQL Server R2 SP1 or later is supported. If you choose SQL Server, there is one additional step to select the database instance.
The WSUS database stores the following information:
WSUS Server configuration information
Metadata that describes each update
Information about client computers, updates, and interactions
(iii) Anti-virus exclusion requirements
Anti-virus software from some vendors may interfere with WSUS, so it is a good idea to plan the anti-virus exclusions for WSUS before deploying it and to apply them immediately after deployment. Microsoft recommends anti-virus exclusions for the following items.
[Figure: Microsoft's recommended anti-virus exclusions for WSUS]
(iv) Deployment architecture preparation
Before deploying WSUS, it is best to plan the architecture for the whole company rather than deploy blindly, which leads to maintenance problems later.
WSUS can be deployed as a simple deployment or as a multiple-server deployment. If the enterprise does not have a particularly large number of clients, a single WSUS server is enough. If headquarters has many clients and the branches or offices also have many clients, consider a multiple-server deployment to improve the efficiency of patch distribution. The following is Microsoft's architecture diagram for a multiple WSUS server deployment.
[Figure: Microsoft's multiple WSUS server deployment architecture]
(v) WSUS server hierarchy planning
The WSUS server hierarchy deployment has several advantages:
You can download updates from the Internet once, and then use downstream servers to distribute them to client computers. This method saves bandwidth on the enterprise Internet connection.
You can download the update to a WSUS server that is close to the actual client computer (for example, at a branch office).
You can set up a separate WSUS server to serve client computers that use Microsoft products in different languages.
You can extend WSUS for large organizations where the number of client computers exceeds the effective management scope of a WSUS server.
We recommend that you do not create a three-level WSUS server hierarchy. Each level adds to the time it takes for updates to propagate to all connected servers. Although the hierarchy is theoretically unlimited, Microsoft Corporation has tested only five levels of hierarchy deployment.
You can connect WSUS servers in "autonomous" mode (designed for distributed management) or "replica" mode (designed for centralized management).
In this example, we chose autonomous mode, in which the upstream WSUS server shares updates with the downstream server during synchronization. Downstream WSUS servers are managed independently and do not receive update approval status or computer group information from the upstream server. In distributed management mode, each WSUS server administrator selects the update languages, creates computer groups, assigns computers to groups, tests and approves updates, and ensures that the correct updates are installed on the appropriate computer groups. The following shows how you might deploy autonomous WSUS servers in a branch office environment:
[Figure: autonomous WSUS servers deployed in a branch office environment]
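The autonomous downstream configuration described above, as an added PowerShell example (not from the original article): it points a second-level WSUS server on Windows Server 2012 at its upstream server without replica mode and reads the setting back. The server name `wsus-hq.example.internal` is a hypothetical placeholder, and port 8530 is assumed to be the one the upstream server listens on.

```powershell
# Added example: run elevated on the downstream (second-level) WSUS server.
# Hypothetical value: replace with the name of your first-level WSUS server.
$UpstreamName = 'wsus-hq.example.internal'
$UpstreamPort = 8530   # assumption: upstream listens on 8530 (8531 is the SSL port)

Import-Module UpdateServices
$wsus = Get-WsusServer   # the local WSUS server

# No -Replica switch: the server syncs updates from upstream but keeps its own
# approvals and computer groups (autonomous / distributed management).
Set-WsusServerSynchronization -UpdateServer $wsus `
    -UssServerName $UpstreamName -PortNumber $UpstreamPort | Out-Null

# Read the configuration back instead of trusting the cmdlet's return value.
$cfg = $wsus.GetConfiguration()
$state = [pscustomobject]@{
    SyncFromMicrosoftUpdate = $cfg.SyncFromMicrosoftUpdate
    UpstreamServer          = $cfg.UpstreamWsusServerName
    UpstreamPort            = $cfg.UpstreamWsusServerPortNumber
    UpstreamUsesSsl         = $cfg.UpstreamWsusServerUseSsl
    IsReplica               = $cfg.IsReplicaServer
}
$state | Format-List

if ($state.SyncFromMicrosoftUpdate) {
    throw 'Server still synchronizes from Microsoft Update, not from the upstream WSUS server.'
}
if ($state.IsReplica) {
    throw 'Server is in replica mode; approvals and groups would be inherited from upstream.'
}
if ($state.UpstreamServer -ne $UpstreamName -or $state.UpstreamPort -ne $UpstreamPort) {
    throw "Unexpected upstream: $($state.UpstreamServer):$($state.UpstreamPort)"
}

# Start the first synchronization so connectivity problems surface immediately.
$wsus.GetSubscription().StartSynchronization()
```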
(vi) firewall configuration
If the company has a firewall between WSUS and the Internet, make sure that the firewall allows WSUS to communicate with the following Microsoft sites. If WSUS is placed in a dedicated server DMZ, also open the appropriate update ports; in Windows Server 2012, WSUS 4.0 uses ports 8530 and 8531.
[Figure: Microsoft sites that WSUS must be able to reach through the firewall]
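An added PowerShell example for the DMZ port note above (not from the original article): on the WSUS server it checks that something is listening on 8530 and 8531, then opens only those ports to named internal subnets and reads the rule back. The subnets and the rule name are hypothetical.

```powershell
# Added example: run elevated on the WSUS server (Windows Server 2012).
$WsusPorts     = 8530, 8531                      # ports named in the article
$AllowedRanges = '10.10.0.0/16', '10.20.0.0/16'  # hypothetical client/downstream subnets
$RuleName      = 'WSUS inbound (example rule)'   # hypothetical rule name

# 1. Only open ports that WSUS/IIS is actually listening on.
$listening = foreach ($port in $WsusPorts) {
    $l = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if ($l) { $port } else { Write-Warning "Nothing is listening on TCP $port; skipping it." }
}
if (-not $listening) { throw 'No WSUS port is listening; is the WSUS role installed?' }

# 2. Replace any earlier copy of the rule so reruns do not stack duplicates.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Allow the ports from the listed subnets only, not from any address.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $listening -RemoteAddress $AllowedRanges | Out-Null

# 4. Read the rule back and show its effective scope.
$rule = Get-NetFirewallRule -DisplayName $RuleName
[pscustomobject]@{
    Rule          = $rule.DisplayName
    Enabled       = $rule.Enabled
    LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort -join ','
    RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
} | Format-List
```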
The above is a brief introduction to the main preparations to consider before deploying WSUS. To learn more about preparation, see the library documentation for WSUS, which covers other considerations such as optimizing branch office bandwidth, patch download mode, and so on.
This article is from the "Zeng Hung Xin Technical column" blog; reprinting is declined.